diff --git a/.github/workflows/backend_deploy_workflow.yaml b/.github/workflows/backend_deploy_workflow.yaml
index b3d6f0555..7ffe410e4 100644
--- a/.github/workflows/backend_deploy_workflow.yaml
+++ b/.github/workflows/backend_deploy_workflow.yaml
@@ -12,10 +12,6 @@ on:
 description: "version to deploy"
 required: true
-permissions:
- contents: read
- id-token: "write" # needed for using open id token to authenticate with GCP
-
 jobs:
 build_and_deploy_backend:
 name: Build and deploy back-end
diff --git a/.github/workflows/backend_test_workflow.yaml b/.github/workflows/backend_test_workflow.yaml
index 8674c8ea2..43e03171e 100644
--- a/.github/workflows/backend_test_workflow.yaml
+++ b/.github/workflows/backend_test_workflow.yaml
@@ -2,11 +2,6 @@ name: Test back-end
 on: [workflow_call]
-permissions:
- contents: read
- pull-requests: read
- checks: write
-
 jobs:
 test_backend:
 name: Test back-end
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 879cf2947..6ad9cfa41 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -8,4 +8,8 @@ concurrency:
 jobs:
 test_backend:
+ permissions:
+ contents: read
+ pull-requests: read
+ checks: write
 uses: ./.github/workflows/backend_test_workflow.yaml
diff --git a/.github/workflows/deploy_production.yaml b/.github/workflows/deploy_production.yaml
index 73fd1ab97..a4e4e8151 100644
--- a/.github/workflows/deploy_production.yaml
+++ b/.github/workflows/deploy_production.yaml
@@ -11,11 +11,18 @@ concurrency:
 jobs:
 test_backend:
+ permissions:
+ contents: read
+ pull-requests: read
+ checks: write
 uses: ./.github/workflows/backend_test_workflow.yaml
 build_and_deploy_backend:
 needs: test_backend
 uses: ./.github/workflows/backend_deploy_workflow.yaml
+ permissions:
+ contents: read
+ id-token: "write" # needed for using open id token to authenticate with GCP services
 with:
 environment: "production"
 version: ${{ github.ref_name }}
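Review bot: With `permissions` now set only on the calling job `test_backend` in build_and_test.yaml, the reusable backend_test_workflow.yaml no longer caps its own GITHUB_TOKEN scope and inherits whatever a caller passes. A called workflow can only reduce the caller's grant, so keeping the three-scope block in the callee as well costs nothing and protects against a future caller that omits `permissions` and hands it the repository default. The same applies to backend_deploy_workflow.yaml and to the callers in deploy_production.yaml and deploy_staging.yaml. The top of build_and_test.yaml is outside the hunk; if it has no workflow-level default, adding `permissions: {}` there would make every job opt in to the scopes it needs.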
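Review bot: The `id-token: write` grant on `build_and_deploy_backend` in deploy_production.yaml is the ceiling for every job inside backend_deploy_workflow.yaml unless a job there narrows it, not just for the step that authenticates to GCP; only one job of that workflow is visible here, so confirm no other job in it runs with this scope unnecessarily. The inline comment would be more useful if it named the control that actually limits the token, e.g. `# OIDC token for GCP auth; the GCP identity provider must restrict repository and ref claims`. As a style point, `permissions` sits before `uses` in `test_backend` and after it in `build_and_deploy_backend`, and `"write"` is quoted only here; one key order and one quoting style would read better. deploy_staging.yaml carries the identical block.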
diff --git a/.github/workflows/deploy_staging.yaml b/.github/workflows/deploy_staging.yaml
index 9f0d0fe7c..9498dc884 100644
--- a/.github/workflows/deploy_staging.yaml
+++ b/.github/workflows/deploy_staging.yaml
@@ -11,11 +11,18 @@ concurrency:
 jobs:
 test_backend:
+ permissions:
+ contents: read
+ pull-requests: read
+ checks: write
 uses: ./.github/workflows/backend_test_workflow.yaml
 build_and_deploy_backend:
 needs: test_backend
 uses: ./.github/workflows/backend_deploy_workflow.yaml
+ permissions:
+ contents: read
+ id-token: "write" # needed for using open id token to authenticate with GCP services
 with:
 environment: "staging"
 version: latest